Package: src:radare2
Source: src:radare2
Submitter: Adrian Bunk
Date: 2026-01-26 20:37:14 UTC
Severity: normal
Tags:
It is understandable (and normal for most software) that upstream is not able or willing to provide security support for the old version shipped in stable distribution releases. But below seems to be upstream actively encouraging exploiting the version in stable. AFAIK Debian in general tries to avoid shipping software when upstream strongly objects to it, or is openly hostile towards Debian.

<-- snip -->

https://rada.re/con/2019/

PwnDebian

Since the very beginning of radare development we had people complaining of bugs because they were using the 3-4 year old version shipped in their distro. We tried to work with everyone who ships builds of r2 to always get updates and merge back their patches upstream so everyone gets benefit out of it. But that has not been enough. In github/radare2 we can check out most of known/used Linux and BSD distros and the shipped r2 version, and it's pretty clear that Debian/Ubuntu stopped updating those packages a long time ago (3.2.1). Yes, the 0.9.6 drama is over.

The aim of this competition is to publish a working exploit for radare2 on Debian stable (nowadays, unstable keeps the same version). To show that debian-security and backporting patches is not solving enough when distributing such state-of-the-art packages.

In order to win this competition, we will accept only 1 working exploit (the first one to submit it) for radare2-3.2.1 (built for x86-64 debian/stable). Additional points will be given for writing some notes or presenting at r2con the way the vuln was found and how the exploit was developed.
Hi,

[...]

FTR, this was as well raised back in [1]. AFAIK there was no direct feedback to the question from Moritz back then.

[1] https://lists.debian.org/debian-security/2019/08/msg00033.html

Regards,
Salvatore
Yeah, we should at least remove radare2 from oldstable (IIRC for
buster there's an rdep which prevents that)
Cheers,
Moritz
* Moritz Mühlenhoff:

That reverse dependency is radare2-cutter which should be treated the same as radare2, IMO.

Cheers,
-Hilko
Hi Hilko,

So, there would be a point release for buster and stretch very soon. If you feel there is agreement within the Debian Security Tools team on it, can any of you file the respective removal requests for the upcoming point release?

Regards,
Salvatore
Given that the point releases are close, I went ahead and filed removal
bugs.
Cheers,
Moritz
We believe that the bug you reported is fixed in the latest version of
radare2, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 950372@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alex Myczko <tar@debian.org> (supplier of updated radare2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Thu, 25 Apr 2024 15:46:50 +0200
Source: radare2
Architecture: source
Version: 5.9.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Security Tools <team+pkg-security@tracker.debian.org>
Changed-By: Alex Myczko <tar@debian.org>
Closes: 950372 1014478 1014490 1016979 1027144 1029037 1032667 1034180 1034862 1051898 1054908 1055854 1056930 1060127
Changes:
radare2 (5.9.0+dfsg-1) unstable; urgency=medium
.
* New upstream version. (Closes: #1034862, #1060127, #950372)
(Closes: #1056930) (CVE-2023-47016)
(Closes: #1032667) (CVE-2023-27114)
(Closes: #1055854) (CVE-2023-5686)
(Closes: #1054908) (CVE-2023-46570) (CVE-2023-46569)
(Closes: #1051898) (CVE-2023-4322)
(Closes: #1034180) (CVE-2023-1605)
(Closes: #1029037) (CVE-2023-0302)
(Closes: #1027144) (CVE-2022-4398)
(Closes: #1016979) (CVE-2022-34502) (CVE-2022-34520)
(Closes: #1014490) (CVE-2021-44975) (CVE-2021-44974) (CVE-2021-4021)
(Closes: #1014478) (CVE-2022-1714 CVE-2022-1809 CVE-2022-1899 CVE-2022-0849
CVE-2022-1052 CVE-2022-1061 CVE-2022-1207 CVE-2022-1237
CVE-2022-1238 CVE-2022-1240 CVE-2022-1244 CVE-2022-0476
CVE-2022-0518 CVE-2022-0519 CVE-2022-0521 CVE-2022-0523
CVE-2022-0559 CVE-2022-0676 CVE-2022-0695 CVE-2022-0712
CVE-2022-0713 CVE-2022-0139 CVE-2022-0173 CVE-2022-0419
CVE-2022-1031 CVE-2022-1283 CVE-2022-1284 CVE-2022-1296
CVE-2022-1297 CVE-2022-1382 CVE-2022-1444 CVE-2022-1437
CVE-2022-1451 CVE-2022-1452 CVE-2022-1649 CVE-2022-1383)
Hi Alex, has there been any change in the attitude radare2 upstream has towards distributions? cu Adrian
Hello,

Bug #950372 in radare2 reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:

https://salsa.debian.org/pkg-security-team/radare2/-/commit/c6fd5e6d3cbf4780aff2b2aeab9771e1ef73d329

------------------------------------------------------------------------
Import Debian changes 5.9.2+dfsg-1~bpo12+1

radare2 (5.9.2+dfsg-1~bpo12+1) bookworm-backports; urgency=medium
.
* Rebuild for bookworm-backports.
.
radare2 (5.9.2+dfsg-1) unstable; urgency=medium
.
* New upstream version.
* d/rules: skip dh_dwz.
* d/copyright: updated.
.
radare2 (5.9.0+dfsg-2) unstable; urgency=medium
.
* d/control: drop libkvm-dev, freebsd-glue from build-depends.
.
radare2 (5.9.0+dfsg-1) unstable; urgency=medium
.
* New upstream version. (Closes: #1034862, #1060127, #950372)
(Closes: #1056930) (CVE-2023-47016)
(Closes: #1032667) (CVE-2023-27114)
(Closes: #1055854) (CVE-2023-5686)
(Closes: #1054908) (CVE-2023-46570) (CVE-2023-46569)
(Closes: #1051898) (CVE-2023-4322)
(Closes: #1034180) (CVE-2023-1605)
(Closes: #1029037) (CVE-2023-0302)
(Closes: #1027144) (CVE-2022-4398)
(Closes: #1016979) (CVE-2022-34502) (CVE-2022-34520)
(Closes: #1014490) (CVE-2021-44975) (CVE-2021-44974) (CVE-2021-4021)
(Closes: #1014478) (CVE-2022-1714 CVE-2022-1809 CVE-2022-1899 CVE-2022-0849
CVE-2022-1052 CVE-2022-1061 CVE-2022-1207 CVE-2022-1237
CVE-2022-1238 CVE-2022-1240 CVE-2022-1244 CVE-2022-0476
CVE-2022-0518 CVE-2022-0519 CVE-2022-0521 CVE-2022-0523
CVE-2022-0559 CVE-2022-0676 CVE-2022-0695 CVE-2022-0712
CVE-2022-0713 CVE-2022-0139 CVE-2022-0173 CVE-2022-0419
CVE-2022-1031 CVE-2022-1283 CVE-2022-1284 CVE-2022-1296
CVE-2022-1297 CVE-2022-1382 CVE-2022-1444 CVE-2022-1437
CVE-2022-1451 CVE-2022-1452 CVE-2022-1649 CVE-2022-1383)
.
radare2 (5.8.8+dfsg-1) experimental; urgency=medium
.
* New upstream version.
* d/clean: added.
* d/control: add myself to Uploaders.
* Bump standards version to 4.7.0.
.
radare2 (5.5.0+dfsg-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* Rename libraries for 64-bit time_t transition. Closes: #1062769
------------------------------------------------------------------------

(this message was generated automatically)
--
Greetings
https://bugs.debian.org/950372
Hi Adrian, I think yes, I was not aware of any more problems during the last years, do you think we can close this bug? cu Alex
Hi Alex, is there an explicit statement from upstream that they want to have their software in stable Debian releases? We did remove radare2 from two stable releases (stretch and buster) in point releases due to this upstream hostility, so any change of attitude should really be explicit to avoid the same problem again. cu Adrian
Hey!

There's no explicit change of attitude and it's very likely that there's been no more hostility because there's no radare2 in stable. I worked with the upstream author and we discussed this several years ago; his main issue is: we need to be up-to-date with the latest things in order to have it functioning, infosec moves too fast and having people just install it from stable turns into troubleshooting noise for them with things they've fixed or changed, sometimes years ago.

I suggest keeping this bug open and avoiding getting it into stable; radare2 is meant to be used in the latest version, they even suggest installing it from Git, not from a package in a distribution.

https://book.rada.re/install/intro.html
https://rada.re/n/radare2.html

- Jose